SB2026061904 - Multiple vulnerabilities in gogs

Published: June 19, 2026

Security Bulletin ID: SB2026061904
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 23
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 13%
Medium: 39%
Low: 48%

Description

This security bulletin contains information about 23 vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2026-52815)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the GET /api/v1/orgs/:orgname/teams endpoint when handling unauthenticated API requests. A remote attacker can send a crafted GET request to disclose sensitive information.

The response exposes team IDs, names, descriptions, and permission levels for arbitrary organizations.


2) Resource exhaustion (CVE-ID: CVE-2026-52814)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in the built-in Go SSH server when handling inbound SSH connections without receiving the protocol banner. A remote attacker can open multiple TCP connections and withhold the SSH banner to cause a denial of service.

Only instances using the built-in Go SSH server are vulnerable.


3) Relative Path Traversal (CVE-ID: CVE-2026-52813)

CWE-ID: CWE-23 - Relative Path Traversal

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to path traversal in organization name handling in internal/database/org.go and repository path resolution when processing organization and repository creation requests. A remote attacker can create an organization name containing traversal sequences and a nested repository to overwrite Git hook files and execute arbitrary code.

In the default configuration, self-registration and organization creation are enabled, and successful exploitation results in code execution as the git user.


4) Insufficient verification of data authenticity (CVE-ID: CVE-2026-52812)

CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information from private repositories across tenants.

The vulnerability exists due to insufficient verification of data authenticity in the Git LFS upload and download handling when processing an upload for an existing object identifier. A remote user can upload arbitrary bytes while claiming a known object identifier to disclose sensitive information from a private repository through their own repository's download endpoint.

Exploitation requires write access to one repository, Git LFS to be enabled, and knowledge of a target object identifier already present on the instance.


5) Link following (CVE-ID: CVE-2026-52811)

CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper link resolution before file access in (*Repository).UploadRepoFiles when processing a multipart upload with a crafted filename that traverses a previously committed parent directory symlink. A remote user can upload and commit a specially crafted file to execute arbitrary code.

The issue affects Linux and macOS environments and requires repository write access. A literal backslash in the uploaded filename is converted into a path separator, allowing the write to escape the repository working tree through a committed directory symlink.
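Items 3 and 5 above share a root cause: a user-supplied name is joined onto a server-side directory without confirming that the result, after ".." components and already-committed symlinks are resolved, still lies inside it. The Go helper below is an added example (not Gogs code) of the check a file-write path should make; SafeJoin and ErrOutsideRoot are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideRoot = errors.New("path escapes repository root")

// SafeJoin joins a user-supplied name onto root, failing if the result would
// leave root once ".." and already-committed symlinks are resolved (example code).
func SafeJoin(root, name string) (string, error) {
	// Reject backslash instead of translating it: on Linux/macOS it is a plain filename byte.
	if strings.ContainsAny(name, "\\\x00") {
		return "", errors.New("filename contains backslash or NUL")
	}
	root, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	if root, err = filepath.EvalSymlinks(root); err != nil {
		return "", err
	}
	// Lexical check: Join cleans "..", Rel exposes anything that climbed above
	// root. Fail closed rather than clamp, so the attempt can be logged.
	dest := filepath.Join(root, name)
	rel, err := filepath.Rel(root, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	// Physical check: resolve the deepest ancestor of dest that already exists,
	// so a committed "docs -> elsewhere" symlink cannot redirect the write.
	existing := dest
	for {
		if _, statErr := os.Lstat(existing); statErr == nil || !errors.Is(statErr, os.ErrNotExist) {
			break
		}
		existing = filepath.Dir(existing) // terminates at root, which exists
	}
	real, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	if real != root && !strings.HasPrefix(real, root+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return dest, nil
}

func main() {
	fmt.Println(SafeJoin(os.TempDir(), "../outside.txt"))
}
```

Because the check and the later write are separate steps, the destination should be opened with O_NOFOLLOW or re-checked at write time where concurrent commits are possible.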


6) Improper access control (CVE-ID: CVE-2026-52810)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to gain write access to a repository.

The vulnerability exists due to improper access control in the Git smart HTTP repository RPC handler when handling a POST request to the git-receive-pack endpoint with a forged service=git-upload-pack query parameter. A remote user can send a specially crafted request to gain write access to a repository.

Exploitation is possible for read-only collaborators on repositories that are not anonymously readable, and on instances with REQUIRE_SIGNIN_VIEW enabled any signed-in user can target public repositories.


7) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: N/A)

CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary script in the victim's browser.

The vulnerability exists due to improper neutralization of script-related HTML tags in a web page in the .ipynb file renderer when rendering user-supplied Jupyter notebook files. A remote user can create a crafted repository file and trick the victim into visiting the rendered file to execute arbitrary script in the victim's browser.

The issue can lead to account takeover when the victim views the malicious notebook file.


8) Insufficient Session Expiration (CVE-ID: CVE-2026-52809)

CWE-ID: CWE-613 - Insufficient Session Expiration

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to take over a victim account.

The vulnerability exists due to insufficient session expiration in password-reset token generation and verification in internal/userx/userx.go, internal/email/email.go, and internal/route/user/auth.go when handling password-reset requests and validating reset tokens. A remote attacker can use an intercepted password-reset token after the configured reset window has expired to take over a victim account.

User interaction is required because the victim must initiate a password-reset request, and exploitation is possible when the reset lifetime is configured shorter than the activation lifetime.


9) Incorrect authorization (CVE-ID: CVE-2026-52808)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify repository settings and trigger mirror synchronization.

The vulnerability exists due to incorrect authorization in the repository settings API endpoints when handling authenticated API requests to update issue tracker settings, wiki settings, or mirror synchronization. A remote user can send crafted API requests to modify repository settings and trigger mirror synchronization.

The issue affects write-level collaborators who can access admin-equivalent endpoints for issue tracker, wiki, and mirror settings without repository admin privileges.


10) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2026-52816)

CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in the browser through cross-site scripting.

The vulnerability exists due to improper neutralization of script-related HTML tags in a web page in the POST /-/api/sanitize_ipynb endpoint when processing user-supplied ipynb content containing data: URIs. A remote user can send crafted content to the sanitization endpoint to execute arbitrary JavaScript in the browser through cross-site scripting.

The issue stems from allowing unrestricted data: URIs, including data:text/html, in sanitized output.


11) Cross-site scripting (CVE-ID: CVE-2026-52807)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in a victim's browser session.

The vulnerability exists due to cross-site scripting in the milestone dropdown on the new issue page when rendering a stored milestone name and processing dropdown interaction. A remote user can create a milestone with a crafted HTML/JavaScript payload to execute arbitrary JavaScript in a victim's browser session.

User interaction is required with the milestone dropdown on the new issue page.


12) Command injection (CVE-ID: CVE-2026-52806)

CWE-ID: CWE-77 - Command injection

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code on the server.

The vulnerability exists due to command injection in the pull request merge rebase operation when processing a specially crafted pull request base branch name during a rebase-before-merging action. A remote user can create a pull request with a branch name that injects the --exec option into git rebase to execute arbitrary code on the server.

Exploitation requires the rebase-before-merging option to be enabled for the repository.


13) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-52805)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:L/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper input validation in the repository migration functionality when processing migration requests that follow HTTP redirects. A remote user can submit a public-looking repository URL that redirects to a blocked internal Git endpoint to disclose sensitive information.

User interaction is required to initiate the migration request.


14) Off-by-one (CVE-ID: CVE-2026-52804)

CWE-ID: CWE-193 - Off-by-one Error

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges.

The vulnerability exists due to an off-by-one error in the ChangeCollaborationAccessMode function when handling collaboration access mode changes from query parameters. A local user can send a specially crafted POST request with mode=4 to escalate privileges.

The issue affects the web route for collaboration settings, while the API route that uses ParseAccessMode is not affected. The escalated owner-level access persists across sessions.


15) Open redirect (CVE-ID: CVE-2026-52802)

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to redirect users to arbitrary external sites.

The vulnerability exists due to improper URL validation in the redirect_to parameter handling when processing redirect requests. A remote attacker can supply a crafted redirect_to parameter to redirect users to arbitrary external sites.

User interaction is required because the victim must follow a crafted link and complete the affected flow.


16) Input validation error (CVE-ID: CVE-2026-52801)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to disclose sensitive information and cause a denial of service.

The vulnerability exists due to improper input validation in the Mirror Settings SaveAddress function when processing repository mirror settings. A remote user can supply a local repository path to disclose sensitive information and cause a denial of service.

The issue provides an alternative path to local repository import outside the validation enforced by the New Migration functionality. There is also a potential issue of blind SSRF.


17) Cross-site request forgery (CVE-ID: CVE-2026-52800)

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to escalate privileges.

The vulnerability exists due to cross-site request forgery in the organization team member management endpoints when handling crafted GET requests to state-changing routes. A remote attacker can trick an organization owner into visiting a crafted link to escalate privileges.

User interaction is required, and the victim must be logged in as an organization owner.


18) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-52799)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to missing authorization in the attachment download endpoint when handling requests for attachment UUIDs. A remote attacker can send a request for a known attachment UUID to disclose sensitive information.

Unauthenticated exploitation requires REQUIRE_SIGNIN_VIEW to be set to false. If sign-in is required, a logged-in user without access to the target repository may still retrieve the attachment.


19) Cross-site scripting (CVE-ID: CVE-2026-52798)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser within the Gogs origin.

The vulnerability exists due to cross-site scripting in the .ipynb preview markdown cell renderer when re-rendering sanitized notebook content on the client side. A remote user can commit a specially crafted .ipynb file containing a javascript: link and trick the victim into clicking the rendered link to execute arbitrary JavaScript in the victim's browser within the Gogs origin.

User interaction is required to click the rendered link in the notebook preview.


20) Authentication Bypass by Spoofing (CVE-ID: CVE-2026-25119)

CWE-ID: CWE-290 - Authentication Bypass by Spoofing

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to bypass authentication and impersonate arbitrary users.

The vulnerability exists due to authentication bypass by spoofing in the authenticatedUser function in internal/context/auth.go when handling reverse proxy authentication headers from incoming HTTP requests. A remote attacker can send a specially crafted request with a forged authentication header to bypass authentication and impersonate arbitrary users.

Only instances with reverse proxy authentication enabled are vulnerable. If automatic reverse proxy user registration is enabled, exploitation can also create a new activated account.


21) Input validation error (CVE-ID: CVE-2025-64719)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper input validation in repository and wiki file listing pages when recovering commit information for crafted file or page names containing incomplete git pathspec sequences. A remote privileged user can create a specially crafted file or wiki page name to cause a denial of service.

The issue affects the web interface for repository or wiki listings and persists as long as the crafted file remains present.


22) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-47267)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to access internal network resources.

The vulnerability exists due to server-side request forgery in webhook deliveries when following redirects from user-supplied webhook URLs. A remote user can configure a webhook that returns a redirect to an internal address to access internal network resources.

The issue can be exploited because redirects are followed even when the redirected hostname resolves inside local CIDR ranges.
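Items 13 and 22 both stem from an HTTP client that follows a redirect without re-checking where the new hostname resolves. The Go snippet below is an added example, not Gogs code, of a client whose CheckRedirect hook resolves each redirect target and refuses loopback, private, link-local and unspecified addresses; IsBlockedIP, CheckHost, GuardRedirect and NewGuardedClient are hypothetical names.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"time"
)

// IsBlockedIP reports whether an address lies in a range that a webhook delivery
// or repository migration must never reach: loopback, RFC 1918 / ULA private
// space, link-local and unspecified. net.IP handles IPv4-mapped IPv6 (::ffff:...).
func IsBlockedIP(ip net.IP) bool {
	return ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsInterfaceLocalMulticast()
}

// CheckHost resolves host and rejects it if any returned address is blocked.
// Every record is checked, not only the first, because a resolver may return a
// mix of public and internal addresses for one name.
func CheckHost(ctx context.Context, host string) error {
	addrs, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil {
		return fmt.Errorf("ssrf guard: resolve %q: %w", host, err)
	}
	for _, a := range addrs {
		if IsBlockedIP(a.IP) {
			return fmt.Errorf("ssrf guard: %s resolves to blocked address %s", host, a.IP)
		}
	}
	return nil
}

// GuardRedirect is an http.Client.CheckRedirect hook: it runs before each hop
// is followed, re-validates the new hostname and caps the chain length.
func GuardRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 3 {
		return errors.New("ssrf guard: too many redirects")
	}
	return CheckHost(req.Context(), req.URL.Hostname())
}

// NewGuardedClient is the client a webhook dispatcher should use. The caller
// must also run CheckHost on the initial user-supplied URL.
func NewGuardedClient() *http.Client {
	return &http.Client{Timeout: 10 * time.Second, CheckRedirect: GuardRedirect}
}

func main() {
	// Literal addresses resolve without DNS, so this demo runs offline.
	fmt.Println(CheckHost(context.Background(), "169.254.169.254"))
}
```

Closing the resolve-then-connect gap (DNS rebinding) additionally needs a dialer that connects only to the address it validated.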


23) Input validation error (CVE-ID: CVE-2026-52796)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper input validation in the issue index pattern rendering logic in internal/markup/markup.go when rendering issue index patterns. A remote user can configure a specially crafted issue index pattern and trigger its rendering to cause a denial of service.

User interaction is required to access a page that renders the affected issue index.


Remediation

Install the update from the vendor's website.

References